
inrun 












(X s 




From: Da: iel Ellsberg 

Tot Albert Wohlstetter, Frank Eldridge 


J x^v 4 ere./ - ' 
/ J 11 c 


AO 


^0 21 


Subj t Strains on the Fail-Safe System ? 




fappii Copies to: Harry Rowen, Alain Enthoven, Ed Oliver, Jay Wakeley, Dick Mills, 
R.B. Morrow, &i C.J. Hitch i &,// J^n^. 


» 1 - 




I 


I 














I 




If "an order is an order," and we can predict Mwfldimt iy xttat with 10(# 
confidence that "if Lemay said it, they'll do it," then we need have no worries 
about the fail-safe system; the positive control instructions are perfectly 
explicit that, "'no order to go ahead* means, 'you are ordered to come back.'" 

But if we imagine that virtually any order might be disobeyed under certain 
circumstances, we might be curious—with an order as important as this one—as to 
what those circumstances might look likex (and how likely they seem to be). 

disobedience might arise from laziness, cowardiee, or personal 
goals; I will ignore these possibilities. Among elite troops (like SAC pilots) 
a more significant pressure to "disobey" might arise when it appeared necessary 
to break the letter of one order im to carry out the "real" wishes of their 
superiors. the SAp^pilo^ 

If "no go-ahead command" were a totally unambiguous signal/of ±h±w theaesires 
of his superior officers (i.e., "come back"), this sort of pressure to 

disobey his positive control orders would not even arise. But when there is "noise" 

In the communication system^ there is a possibility that this w signal* 1 lack 

of go-ahead command) might not reflect the current wishes of his commanders; they 
might have ordered him to go ahead, but their signal failed to get through. 

Thus, a possible consequence of his obeying the order would be, "Coming back 
when they really wanted me to go ahead." A good pilot is inevitably going to,regard 
this as a costly error (even if he does regard the alternate mmm possible--going 
ahead when they wanted him to come back—as just as costly, or as very much more 
costly). But so long as he regards it as having low probability , the thought will 
not put a heavy strain on his willingness to obey his positive control instructions. 

He will regard it as having low probability, for example, if he estimates that: 
a) the chance that they went a go-ahead order (i.e., the chance that this is not 
another false alarm) is low; and b) the conditional probability that, if the order 
were sent, it would not get through to him, is low, (The latter seems likely to 
be low—though not 0—if only a "natural" breakdown of communications is considered.) , 
But what if he regards this conflict between the letter of his positive control 
orders and the actual current desires of his superiors as having a fairly high 
probability, at the moment he makes his decision? It seems to me that this might 
put a strain on the literal obedience of every pilot in the air; and if there were 
200-1*00 pilots in the air, it is not hard to imagine that at least one or more 
would resolve the strain by going ahead. At the very least, some of them would 
come closer to it than they would in the earlier situation: which in itself is 
3 possibility worthy of some attention. 

Now, why would he ever put a fairly high probability on the possibility that 
a go-ahead signal had been sent and had Sa&r failed to get through? It strikes 
me that two conditions night contribute to that estimate: 

1) He had been allowed to get up to the positive control line without being called 
back, I have a hunch this is not typical training procedure, and that if there 
have been ary real false alarms, thte have not persisted this long, (Bill Jones, 

Dick Mills, and Jay Wakeley have the r impression that this is correct). If so, 
then as soon as he gets much beyond the furthest point that he ever attained in 

a previous training alert of false alarm, tkwrwiiiiiJwi i MW his subjective probability 
that this is the "real thing," begins to go way up; it might or might not become 
"more likely than not." Say it hits 3C$. 

2) Suppose that t he information in E ldrA dge*3 S-9£ has somehow trickled through 
to him. Then the conditional probability that communications might break down 
given an SU attack could look like 100£, or close to it. 

Under these two conditions (a prior training policy that made this flight—— 
which, we assume, is in fact a Mtr fqlse alarm—twak seem "likely" to be the 
real thing; and pilot knowledge of S-99), the probability that the 11 I'gMluhw. go- 





















wiriT* would be feeling thb strain even at that level, 

H« would have received a briefing on his positive control orders. Did 
the intensity of that briefing really reflect the fact that he might be under 
tMs level of pressure ? Can any briefing, by itself, really ensure compliance 
under these conditions? 

This isn't the whole story. Suppose that he does consider going ahea£; 
presumably he will try to check the situation first. His orders in SACM *S>-8 
allow him—if he doesn't get a go-ahead signal, to xfcw check by UHF with the 
UHF ground station nearest to the positive control line. But those ordersindicate 
that not all planes in the strike will be near enough to a UHF station (they men¬ 
tion that such planes must rely on the HF message from headquarters, coming back 
if they don't get a go-ahead). Such planes would probably try to communicate 

gwMBti*.bm HF (even though they are supposed to keep HF silence). 
Now the question becomes interesting: out of U00 planes in the air, ihat are 
the chances that one or more would be out of communication at this moment 
for "natural" causes? (Some planes would have to be out on both UHF and HF; 
some would merely have to be out on HF, not being close enough to a UHF ground 
station). 

FbanJt Eldridge and Bill Jones estimate this chance at definitely greater 
than 0) in fact, the expected number of planes that might try and fail 

to raise headquarters at this point looks greater than 1, These are the i 

interesting cases, 

ifr I haven't any detailed fixes to offer, if this is a problem, but three 
suggestions might at least indicate D a r Q rer the nature of the situation: 

a) It might be useful (though wxjnracfciwxxxi possibly dangerous) to run fully 
realistic combat alerts which allow the planes to go up to the positive control 
line,nd so that if a false alarm ever lets them get that far they won't 
assume that a war is almost certainly on. Of course, such an unannounced alert 
would have to take special precautions (e.g., planes monitoring the positive control 
points, backup radio facilities) to make sure that the behavior suggested above 
didn't occur the very first time. 

b) Pilots might be "protected" from the information in S-99} or, 

c) Briefings on the positive control orders might be repeated, much more emphatic¬ 
ally, frankly predicting the sort of pressures described above and reiterit&ig, 

"We know what you'll be thinking, but come back anyway." 

^Incidentally, I suspect that fc) without (a) would not be effective enough 

B,) Suppose that one pilot (say, one crew), decides that while it isn't certain 
that the war is on, the chances are good enough to justify going ahead, (He 
has tried to reach headquarters on HF but failed; he isn't near a UHF ground 
station). Or—to introduce a new possibility—suppose that he is one of Dele's 
madmen. Now, suppose that he w aild like to take few buddies with him: by sending 
them an apparently authentic "go-ahead" signal. 

Whether or not these conditions seem likely* I find it interesting that it 

appears he would able to do this. _ , 

According to SACM £P3, the alert pilot has in his plane (or on his 

person) an envelope which has a group of code numbers on the outside and another 
group on the inside. An authentic go-ahead signal consists of a message giving 
two groups of numbers, the first corresponding to the group on the outside, the 
second corresponding to the group on the inside. (After receiving a xisg sxgna 
giving the kexxxxk numbers on the outside of his envelope, the pilot opens the 
envelope and checks the numbers on the inside; if they also match, he has received 
an authenticated signal). 





















f 


Question! Are these two groups 6f numbers the same for all alert planes 
in the air? Jones, Mills, Eldridge and Wakeley think that the answer is "Yes," 
Then, any pilot can open his envelope and learn the entire authenticated 
message. 

He could broadcast this over HF, and the whole alert force would assume 
itself to be hearing the go-ahead signal. This was my first fantasy; the 
trouble with it is that headquarters would be monitoring HF, and they would , 
know that someone was playing a joke. Much cleverer for him, then, to wait 
till he reached the positive control line and then broadcast over UHF to 
planes within hearing (his cell, say)j "I just received a very faint signal, 
interrupted several times, over HF; here it is," 

Note: according to Mills, alert planes are ordered to relay such orders 
let by UHF to each other.v And, although they might check x the failure to 
receive a go-ahead signal with a ground station, it isn't obvious that they 
would check up on x what appeared to be a perfectly clear directive, 

(This in itself suggests the possibility that one plane might get the 
order on HF when others failed to do so.) Cour> I 

This "problem" may be based only upon/lack of information. If the possibility 
does exist, it still seems to many people to be too bizarre to worry about. But 
if we are worried at all about the madman case (and if we aigrt worry about the 
behavior I discussed earlier, which would not require a madman at all), we 
should be worried about the ability of a madman to carry a cell with him. 

Possible fixes: new procedures for checking instructions; back-up commun¬ 
ications itkixxjQEC (these possibilities merely make this more urgent); a "com¬ 
bination lock" for weapons; separate authentication for different planes (this 
may be infeasible because of time constraints; on the other hand, can't 
there be parallel transmission on ±k different frequencies?). 


C) Sup pos e - th a t ■ th e- pl an-for- -putting^jadlo- transml t Lera in 500~ICBMs - goe g » 
t hroug h. Suppose that, as the alert planes are approaching the positive 
control line, a US ICBM goes over their heads twrw towards Russia, either because: 
a) "premature discharge," all of the ICBMs having suddenly gone on combat alert, 
or (4f t hi q- is (b) a "madman r " wha-has chosen this plausible 

moment, ^ i 

Suppose that this ICBM is one of the 500 or so that^have had radio trans¬ 
mitters installed. If those transmitters have some canned messages in them, then 
the airborne pilots might hear this one chanting, "Follow me," on UHF, If they 
don't have earned messages in them, the madman might have put this one in. If 
neither of these occur, it still seems possible (to me, in my ignorance) that 
this transmitter might be emitting some sort of signal, which might have the 
minimum significance to the listening pilotsftxw^ctgxthxxsthgrxi&B: " I am going ," 
Add this to the worries mentioned under (A), and you might_jj«t a siren song, 

(Note: if there were more an "accidental discharge"—or if there were more than 
one—in the course of x what seemed to be a false alarm, SAC headquarters no doubt 
would be doing a good deal of soulsearching as to whether this didn't "compel" 
them to go ahead. Some pilots might even itKmjnti reason this out for themselves;, . 
but I doubt whether they should be encouraged tt do so. And the notion might even 
tempt &A£ a few SAC planners that a pilot who heard ICBMs talking overhead should 
follow them unless he received an order to return . Perhaps we should be prepared 
to deal with this argument.) 




















